QEMU, a fast and portable dynamic translator
ATEC '05 Proceedings of the annual conference on USENIX Annual Technical Conference
A proposal for an integrated memory acquisition mechanism
ACM SIGOPS Operating Systems Review
SMM rootkits: a new breed of OS independent malware
Proceedings of the 4th international conference on Security and privacy in communication netowrks
HyperCheck: a hardware-assisted integrity monitor
RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
Live and trustworthy forensic analysis of commodity production systems
RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
Firmware-assisted Memory Acquisition and Analysis tools for Digital Forensics
SADFE '11 Proceedings of the 2011 Sixth IEEE International Workshop on Systematic Approaches to Digital Forensic Engineering
A hardware-based memory acquisition procedure for digital investigations
Digital Investigation: The International Journal of Digital Forensics & Incident Response
Hi-index | 0.00 |
The acquisition of volatile memory of running systems has become a prominent and essential procedure in digital forensic analysis and incident responses. In fact, unencrypted passwords, cryptographic material, text fragments and latest-generation malware may easily be protected as encrypted blobs on persistent storage, while living seamlessly in the volatile memory of a running system. Likewise, systems' run-time information, such as open network connections, open files and running processes, are by definition live entities that can only be observed by examining the volatile memory of a running system. In this context, tampering of volatile data while an acquisition is in progress or during transfer to an external trusted entity is an ongoing issue as it may irremediably invalidate the collected evidence. To overcome such issues, we present SMMDumper, a novel technique to perform atomic acquisitions of volatile memory of running systems. SMMDumper is implemented as an x86 firmware, which leverages the System Management Mode of Intel CPUs to create a complete and reliable snapshot of the state of the system that, with a minimal hardware support, is resilient to malware attacks. To the best of our knowledge, SMMDumper is the first technique that is able to atomically acquire the whole volatile memory, overcoming the SMM-imposed 4GB barrier while providing integrity guarantees and running on commodity systems. Experimental results show that the time SMMDumper requires to acquire and transfer 6GB of physical memory of a running system is reasonable to allow for a real-world adoption in digital forensic analyses and incident responses.